Over 800M+ DreamHost records exposed online in an unsecured database

Over 800 million records associated with WordPress users were exposed by a misconfigured cloud database before the owner was informed, reports Website Planet.

In a post on Website Planet, a website for web developers, cybersecurity researcher Jeremiah Fowler revealed that a database owned by US-based web host DreamHost is exposed and publicly accessible.

Fowler, together with WebPlanet’s team, found the unsecured database on April 16. The unsecured database seems to contain three years’ worth of records, between March 24, 2018, and April 16, 2021.



It contained information about DreamHost customers as well as WordPress accounts that were hosted on DreamHost’s servers.

Fowler claimed some leaked information was tied to users with email addresses ending in .gov and .edu. After receiving Fowler’s notice of responsible disclosure, DreamHost secured the database within hours.

DreamHost’s legal team was notified of the discovery on May 4, and a representative acknowledged that it was being passed along to them. It was, however, unclear how long it had been exposed, making it potentially vulnerable to phishing attacks. 

An exposed database can reveal information about the configuration, applications, operating systems, software, and build, which could uncover vulnerabilities if they were not patched or outdated. A cybercriminal can collect and use data in complex ways.


Disclosure: Our content is reader-supported, which means that if you click on some of our links that we may earn a commission.